| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAK8P3a36O-NbrKkt-DEEZE2A2JQ5Gu9GZ98j0BjoFET4kgTaWw@mail.gmail.com>
Date: Fri, 9 Feb 2018 13:57:44 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Andrew Cooper <andrew.cooper3@...rix.com>
Cc: Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
xen-devel <xen-devel@...ts.xenproject.org>,
David Laight <David.Laight@...lab.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Kees Cook <keescook@...omium.org>,
Dan Williams <dan.j.williams@...el.com>,
David Woodhouse <dwmw@...zon.co.uk>
Subject: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
On Mon, Feb 5, 2018 at 4:14 PM, Andrew Cooper <andrew.cooper3@...rix.com> wrote:
> On 05/02/18 15:03, Arnd Bergmann wrote:
>
> Snipping deleted code to make things clearer:
>
>> + if (cmd > ARRAY_SIZE(physdevop_len))
>> + return -ENOSYS;
>>
>> + len = physdevop_len[cmd];
>> + memcpy(&op.u, arg, len);
>
> You'll want an array_nospec() or whatever its called these days. This
> code is SP1-leaky.
Maybe the best solution would be to remove the file completely. From
looking at the Xen git history, we only need this to run on Xen 3.0.2
or earlier, those early Xen releases (according to Wikipedia) never
even supported running modern kernel versions anyway, so the code
appears to be completely pointless here.
However, aside from this driver, I wonder if we should be worried about
Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
statement into an array lookup behind our back, e.g. in an ioctl handler.
Has anybody got this on their radar?
Arnd
Powered by blists - more mailing lists